Encrypted Data: Control the Keys

Recent high-profile breaches around the world have stripped organizations of critical data and their own reputations. These incidents have also hammered home the point that security practitioners have always known: data security is paramount. And nowhere is this more of a pressing concern than in the cloud today.

With cloud usage becoming ubiquitous, how are practitioners coping with the challenge of securing business critical data on third-party infrastructure?

"The biggest challenge is the ability to ensure that the data is secure, and demonstrate this in an audit," says Mark Hickman, COO at security firm WinMagic. "It is much easier when the data is on your network. When you start to procure data into third-party clouds, the question becomes who has access? Where are the encryption keys stored?"

Doing encryption today has become quite simple, and pretty much anybody can do it, Hickman says. What becomes incredibly complicated with encryption is the key management. Hickman recommends that enterprises find a way to own their own keys, rather than depending on a third party or a cloud service provider, because the only way to ensure security is to make sure you are the one that's securing.

In this exclusive interview with ISMG, Hickman shares some of the trends going around in the Asian market when it comes to data security and encryption. He speaks about:

Biggest challenge in securing data in the cloud;

Security beyond encryption;

The importance of key management.

Hickman is Chief Operating Officer at WinMagic. He is responsible for direct and channel sales, marketing, professional services, and global business development. Joining WinMagic in 2010, he brings over 18 years of software sales experience. Prior to joining WinMagic, he held senior sales management positions with Computer Associates, BEA Systems Inc., and RightNow Technologies. Hickman has been building strong sales teams for the past decade. He has consistently built new business and has grown organizations' revenues extensively.

Asian Trends, Challenges

Varun Haran: Mark, when you look at the global picture, what are some trends in cloud security that you are seeing in India and the Asian region?

Mark Hickman: I think they fall into two categories. Firstly it would be the advent of cloud storage, and we've seen this very much in the consumer areas such as iCloud, Google Drive and OneDrive. Now we're seeing these jump into the enterprise with Dropbox, Box and other well-known consumer services.

It poses a pretty significant problem for organisations, when people can just go and drop sensitive information into the cloud, for sharing at home or sharing it with other people without any security. We see it as a basic trend, and we also see it as a way that is really replacing removable media like USB and using the cloud to share data.

The other area is where, with the advent of Infrastructure As A Service, we see facilities such as Amazon, Azure, IBM & Rackspace popping up. People really want to leverage their hardware investment and scale into the cloud. There is a pretty significant shift there as well, where people really need to secure this data, even though all these facilities offer so-called encryption. What people are worried about is who owns the keys and the access to that data. They are much more comfortable if they themselves own the encryption keys.

Haran: From a real-world perspective, when you interact with the industry, with partners etc., what are some challenges they are faced with when it comes to storing data on the cloud? What are the security challenges that your customers are sharing with you?

Hickman: I think the biggest challenge is the ability to ensure that the data is secure. It is much easier to ensure that the data is secure in your facility on the network. When you start to procure data into third-party clouds, where their admins have access to that data, the question becomes where are the keys stored - are they stored in the cloud, or are they stored locally? These are the kind of challenges faced by organizations, especially when there is a lot of sensitive data - the ability to prove in an audit that their data is secure.

Data Security Hygiene

Haran: What are some recommendations you can make to the practitioner community on going beyond encryption when it comes to securing data?

Hickman: I think there are many in that area. For instance, we have a lot of well-built secure protocols being used today which are quite secure. Encryption really is the ability to make data unreadable. Doing encryption today has become quite simple; pretty much anybody can do it. What becomes incredibly complicated with encryption is the key management. What I recommend to enterprises is to own your own key.

I liken it to how you wouldn't give your front door keys to many different people. You would always make sure that that key only goes to people that are really trusted, or you are the only person with that key. A similar kind of situation exists in the cloud around key management, and this is one area in cloud security that is growing really fast. It is really around ensuring that that data is secure and unreadable in the cloud; that the only people who can view that data are the people you want, and there is no third-party access, including the cloud provider. You can never depend on a third party to keep your data safe - you have to ensure your data is safe. In spite of assurances, we've seen over and over that there can be breaches in the cloud, and the only way to ensure security is to make sure you are the one that's securing.

Encryption is Essential

Haran: Since we are on the topic of encryption, I don't know if you know, but the Indian government recently released a draft bill on data encryption, which was later withdrawn. But if it had come into force, it would have entailed a sort of key escrow regime. What is your take on how something like this would likely affect the security ecosystem?

Hickman: I was in India when the draft was withdrawn, and we've also heard similar things in Europe - governments trying to control, and even remove encryption; we've heard the FBI director say that the most dangerous products on the market are Apple and Android. To me, encryption may be used by people with bad intentions, just like pretty much everything else in life. However, the benefits of encryption far outweigh the drawbacks. In the world we live in now, with the number of data breaches happening, would people feel secure if corporations didn't use encryption?

I think Edward Snowden really proved just how damaging data breaches can be. There have been numerous data breaches where consumers lose confidence in the brand, stock prices fall, and executives get fired. So, I think legislation around encryption is a tricky area. For instance, if you are asking for backdoors for encryption, then it's not really encryption. So this is going to be a difficult topic for governments, but I think the use of encryption is a positive thing for economies and countries.

About the Author

Haran has been a technology journalist in the Indian market for close to six years, specializing in information security. He has driven industry events such as the India Computer Security Conference (ICSC) and the Ground Zero Summit 2013. Prior to joining ISMG, Haran was a correspondent with TechTarget and InformationWeek, where he covered enterprise technology-related topics for the CIO and IT practitioner.
